From 8a798865419f4b416d8c46ae12dd73cb311b61bd Mon Sep 17 00:00:00 2001
From: "C. McEnroe" <june@causal.agency>
Date: Fri, 20 Aug 2021 15:57:50 -0400
Subject: Explicitly clear TLS secrets after handshake

Ported from catgirl ae64d277b8204c156a30d2e8b6a958e5a31f2a7f.
---
 server.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server.c b/server.c
index c84320a..d970deb 100644
--- a/server.c
+++ b/server.c
@@ -41,12 +41,13 @@
 #include "bounce.h"
 
 static struct tls *client;
+static struct tls_config *config;
 
 void serverConfig(
 	bool insecure, const char *trust, const char *cert, const char *priv
 ) {
 	int error = 0;
-	struct tls_config *config = tls_config_new();
+	config = tls_config_new();
 	if (!config) errx(EX_SOFTWARE, "tls_config_new");
 
 	if (insecure) {
@@ -89,7 +90,6 @@ void serverConfig(
 
 	error = tls_configure(client, config);
 	if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client));
-	tls_config_free(config);
 }
 
 int serverConnect(const char *bindHost, const char *host, const char *port) {
@@ -150,6 +150,7 @@ int serverConnect(const char *bindHost, const char *host, const char *port) {
 		error = tls_handshake(client);
 	} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
 	if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
+	tls_config_clear_keys(config);
 
 	return sock;
 }
-- 
cgit 1.4.1